Friday, 2024-09-06

« Thursday, 2024-09-05 Index Saturday, 2024-09-07 »
opendevreviewMerged openstack/neutron master: Add trusted vif api extension for the port  https://review.opendev.org/c/openstack/neutron/+/92606801:27
opendevreviewRico Lin proposed openstack/ovn-octavia-provider master: Add OVN DB sync in OVN driver  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/92532404:51
opendevreviewRico Lin proposed openstack/ovn-octavia-provider master: Add octavia_client and sync cmd  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/92574704:51
ricolinralonsoh:  Thanks for review, the ovn-octavia sync patch updated, please kindly review again. thank you!04:58
opendevreviewRodolfo Alonso proposed openstack/neutron-lib master: Add new API extension ``uplink-status-propagation-updatable``  https://review.opendev.org/c/openstack/neutron-lib/+/92782007:07
opendevreviewRodolfo Alonso proposed openstack/neutron-lib master: Add API extension ``quota-check-limit-default``  https://review.opendev.org/c/openstack/neutron-lib/+/92677707:07
ralonsohlajoskatona, hello! 2024.2 was created yestarday, we can start adding new code for 2025.107:08
ralonsoh(for n-lib I mean)07:08
lajoskatonaralonsoh: ack, good news07:08
opendevreviewRodolfo Alonso proposed openstack/neutron master: Add new "tagging" API method: create (POST)  https://review.opendev.org/c/openstack/neutron/+/92472407:11
opendevreviewMerged openstack/os-ken master: Update master for stable/2024.2  https://review.opendev.org/c/openstack/os-ken/+/92820308:07
opendevreviewMerged openstack/ovsdbapp stable/2024.2: Update .gitreview for stable/2024.2  https://review.opendev.org/c/openstack/ovsdbapp/+/92821008:07
opendevreviewMerged openstack/ovsdbapp stable/2024.2: Update TOX_CONSTRAINTS_FILE for stable/2024.2  https://review.opendev.org/c/openstack/ovsdbapp/+/92821408:07
opendevreviewMerged openstack/neutron-lib stable/2024.2: Update .gitreview for stable/2024.2  https://review.opendev.org/c/openstack/neutron-lib/+/92818208:08
opendevreviewMerged openstack/python-neutronclient stable/2024.2: Update .gitreview for stable/2024.2  https://review.opendev.org/c/openstack/python-neutronclient/+/92822208:09
opendevreviewMerged openstack/python-neutronclient stable/2024.2: Update TOX_CONSTRAINTS_FILE for stable/2024.2  https://review.opendev.org/c/openstack/python-neutronclient/+/92822308:09
opendevreviewMerged openstack/neutron-lib stable/2024.2: Update TOX_CONSTRAINTS_FILE for stable/2024.2  https://review.opendev.org/c/openstack/neutron-lib/+/92818408:09
opendevreviewFernando Royo proposed openstack/ovn-octavia-provider master: Fix member subnet id on a fully populated LB  https://review.opendev.org/c/openstack/ovn-octavia-provider/+/92833510:30
opendevreviewMerged openstack/neutron-tempest-plugin master: Test metadata query over IPv6 only network with OVS and LB  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/92650310:31
opendevreviewMerged openstack/neutron master: docs: The job is not in experimental but in periodic queue  https://review.opendev.org/c/openstack/neutron/+/92797110:31
opendevreviewMerged openstack/os-ken stable/2024.2: Update .gitreview for stable/2024.2  https://review.opendev.org/c/openstack/os-ken/+/92819810:44
opendevreviewMerged openstack/os-ken stable/2024.2: Update TOX_CONSTRAINTS_FILE for stable/2024.2  https://review.opendev.org/c/openstack/os-ken/+/92819911:08
opendevreviewMerged openstack/neutron stable/2024.1: Fix port_hardware_offload_type ML2 extension  https://review.opendev.org/c/openstack/neutron/+/92770712:02
opendevreviewOpenStack Release Bot proposed openstack/os-vif stable/2024.2: Update .gitreview for stable/2024.2  https://review.opendev.org/c/openstack/os-vif/+/92835313:08
opendevreviewOpenStack Release Bot proposed openstack/os-vif stable/2024.2: Update TOX_CONSTRAINTS_FILE for stable/2024.2  https://review.opendev.org/c/openstack/os-vif/+/92835513:08
opendevreviewOpenStack Release Bot proposed openstack/os-vif master: Update master for stable/2024.2  https://review.opendev.org/c/openstack/os-vif/+/92835613:08
slaweqhaleyb: hi, do we have drivers meeting today?13:45
haleybslaweq: yes, i see we have two things to discuss. i'm actually double booked but will figure it out13:46
slaweqsure, thx13:46
joahi o/ Available to discuss the spec, as ralonsoh (if i'm not mistaken) mentioned on gerrit.13:47
opendevreviewMerged openstack/os-vif master: Update master for stable/2024.2  https://review.opendev.org/c/openstack/os-vif/+/92835613:49
lajoskatonahaleyb: Hi,  do we allow features to stadiums or we are over that in the release process?13:56
haleybjoa: ack, thanks13:57
haleyblajoskatona: as in rfes? it's a good question - i guess we should but i don't remember having much come to the drivers meeting13:59
lajoskatonahaleyb: no, the ready patches, like: https://review.opendev.org/c/openstack/neutron-fwaas/+/845756 14:00
haleyblajoskatona: let's discuss after drivers14:00
haleyb#startmeeting neutron_drivers14:00
opendevmeetMeeting started Fri Sep  6 14:00:30 2024 UTC and is due to finish in 60 minutes.  The chair is haleyb. Information about MeetBot at http://wiki.debian.org/MeetBot.14:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.14:00
opendevmeetThe meeting name has been set to 'neutron_drivers'14:00
haleybPing list: ykarel, mlavalle, mtomaska, slaweq, obondarev, tobias-urdin, lajoskatona, amotoki, haleyb, ralonsoh14:00
mlavalle\o14:00
obondarevhi14:00
ralonsohhello14:00
lajoskatonao/14:01
cbuggyo/14:01
joao/14:01
haleyblike last week, i have a hard stop in :30, but i only see two things on agenda for today14:01
slaweqo/14:01
haleyb#link https://bugs.launchpad.net/neutron/+bug/207595514:02
haleybthis was from joa but i see ralonsoh had a comment on the spec14:02
haleyb#link https://review.opendev.org/c/openstack/neutron-specs/+/92752014:02
ralonsohhttps://review.opendev.org/c/openstack/neutron-specs/+/927520/comments/d17f91e8_d7ac009c14:02
haleybjust an fyi that we didn't approve the rfe but asked for the spec to get more detail14:03
ralonsohso what I commented in the review, and this is something that could be tested by the submitter, is that the spec scope can be achieved right now14:04
ralonsohbut, of course, that is something the LP bug submitter should consider and comment14:04
ralonsohmaybe there is a limitation that I didn't see14:05
joaI wanted to at least better understand the proposal, with operational implications. Fwiw, we're currently having something based on zed, which means the feature is not available out of the box for us anyways to test, and would require some backporting first .14:05
ralonsohwhat feature?14:05
ralonsohRBAC?14:05
ralonsohhttps://review.opendev.org/c/openstack/neutron/+/883246 you mean14:06
joaNo, the patch linked in the comment, which was recently merged14:06
joayes14:06
ralonsohlet's be clear on this: this feature will be implemented in master14:06
joayes, for sure. If usable, I'll have to backport it in our internal forks .14:07
joa(along with all the related shenanigans for the cli and whatnot to work)14:07
ralonsohand, btw, you don't need as an admin to create the port14:07
ralonsohthe non-admin user can create the port. And this non-admin user port will receive the default SG14:07
ralonsohand this user cannot modify the SG on the port, so you are enforcing the SG rules 14:08
ralonsoh(you==admin)14:08
joayes, that's already what I'm doing. To be frank, what the spec covers is something we're trying to POC internally at the moment, by lack of better alternative so far.14:08
joawe agree that to prevent modifying SG on the port, we'll require a patch to allow policy control on port/SG bindings ?14:08
ralonsohin any case, and because you are testing that, I'll reply to the question of the gerrit comment (I didn't check it)14:09
ralonsohthis is done14:09
joa(which is already part of a second RFE, linked in the first)14:09
ralonsohyou can define that a non-admin user cannot modify a port SG14:09
joaoh ? might have forgotten to check on master then14:09
ralonsohand by default, the default SG cannot be modify by a non-admin user14:09
joait wasn't the case in zed, and I took some time to find out how to tweak that14:09
ralonsohthe default SG belongs to a project and only the admin can modify it14:09
slaweqthose api policies are there for very long time already14:10
joaAbout the default SG, I understand that your proposal is to change that default, to allow  the network stream we need for our project. But then it'd be applied to all networks, right ?14:10
ralonsoha network belongs to a project14:11
slaweqby default we don't have policies for sg field in the port14:11
ralonsohactually several networks can belong to a single project14:11
slaweqit was for sure14:11
joaslaweq: In zed, the `enforce_policy` flag on the sg extensions to control create_port:securitygroups and update_port:securitygroup was not set.14:11
ralonsoheach port created on these networks, will receive the project default SG 14:11
slaweqyou can create custom policies in policy.yaml file always14:11
slaweqand should be respected14:12
ralonsohyou can create custom policies14:12
joaralonsoh: Sure, but we want to configure that specific service network as an admin, then share/external the network providing access to the service with specific projects14:12
slaweqit would be something like: "update_port:security_groups: rule:admin_only" if I'm not mistaken14:12
joayes, but was not available/supported in zed. maybe it has been added meanwhile though, in which case I only need to backport/replicate the behavior in our old version, until we upgrade.14:13
ralonsohthen please move to a newer version. If you implement this RFE you are proposing, you won't have it in zed14:14
ralonsohyou'll have the same problem14:14
joaralonsoh: I'm unsure how you perceive the "service network" I'm attempting to describe,  but I don't really think it'd be a good idea to change the default for a whole project, as it might have multiple networks, that shoudl ahve the original defaults instead14:14
ralonsohthen please describe, in Neutron terms, what "service network" is for you14:15
joaralonsoh: I'm aware that implementing it will mean backporting for zed anyways, which is not a big issue in itself. What we want is to diverge as little as possible from upstream in the long run14:15
joaSo, we need a shared/external network, defined by the administrator, that provides access to a service which is not managed by Openstack. The reason we're doing it this way, is that we want to be able to setup the network so that we can only share it to specific projects (not all), and to make it as easy as possible to "enable" access to the service by simply adding the network to the VMs requiring 14:16
joait.14:16
ralonsohagain, that is doable now: one project creates the shared network with a set of specific RBACs to other projects14:18
ralonsohand then the ports created on this network will have the same default SG14:18
joaAlso, we want to prevent VMs attached to this network from talking to each other: thus the restriction on adding SGs/updating SGs on the port.14:18
joaYes, we're already using rbac + policy to handle the individual sharing  and preventing updates to the SG14:19
joathe thing is: How do you offer the "default" for the port, without affecting the rest of the projects/networks/ports ?14:19
haleybSo is the difference here between a "project default SG", which applies to all ports on all the project networks, and a "network default SG" which only applies to ports on a single network, over-riding the project default SG?14:19
ralonsohthe default SG is per project, the project that created the shared network14:20
joahaleyb: yes, that's how I see it. Of course, given how I was describing it in the spec, is slightly more flexible thatn a simple "network default sg"14:20
haleybralonsoh: understood, i'm just trying to see what the ask is and if it's already doable today14:20
joaralonsoh: which is why I didn't delve into the idea of modifying the default SG. I only want that for these networks that would expose a service to some projects/VMs14:21
joa(and of course, if we have more than one, each should have their own settings)14:21
ralonsohagain: create a single project per shared network14:21
haleybralonsoh: oh, right that's one way14:21
slaweqjoa do your tenants who owns vms connected to that "shared" network have also other vms which needs to use own, different SGs?14:21
ralonsohthe default SG will apply only to each shared network port14:22
joaso, I'd need to create as many "empty" projects as the number of networks that I need different defaults for ?14:22
ralonsohwhy not?14:22
joaslaweq: Hypothetically, yes.14:22
joaralonsoh: ok that makes things clearer, I understand your point now, I missed the idea of a project per network14:23
slaweqso if you will forbid updating SGs for regular users, it will affect all the vms/ports which they have14:23
slaweqand they will not be able to set/update SGs for any of their ports14:23
slaweqis that ok for you?14:23
joaslaweq: I've fiddled with it, and found the right syntax to specify specific network ids14:23
joaso that I can create the networks, go update the policies (tbh, that's a pain, but policies don't seem to be much for dynamism at the moment), and it'd be fine14:24
joait'd look like this (quite verbose, but seemed to work during my tests):14:24
joa"custom_service_network": "'%%NETWORK_ID%%':%(network_id)s"14:24
slaweqahh, so you have policies with rules which contains some specific network_ids in the rules?14:25
joa"create_port:security_groups": "rule:admin_or_network_owner or (role:member and project_id:%(project_id)s and not rule:custom_service_network)"14:25
joa"update_port:security_groups": "rule:admin_or_network_owner or (role:member and project_id:%(project_id)s and not rule:custom_service_network)"14:25
joayes, starting from your feedback on the other RFE14:25
slaweqso with that if you as an admin will set SG rule for such port you will have what You need, right?14:25
joaprobably, in which case ralonsoh cleared up what I did not understand originally, and we may be able to do without what I offered initially. Needs to be tested and validated though14:26
joa(we're also struggling with OVN at the moment, lacking a network-savvy expert :D)14:26
slaweqand in such case we may not need this RFE to be implemented at all to address Your use case so we may not want to do it, right?14:27
ralonsohso I think we can wait for feedback on this RFE and discuss it once we have it14:28
slaweq++14:28
joaslaweq: Yes, to be confirmed. Ralonsoh: agreed.14:28
joanote that i'll be away for the next two weeks, so don't be in a hurry to hear from me x)14:28
haleybjoa: so can you investigate more based on all the great comments above :) and update the bug/spec with any notes?14:28
* haleyb thinks that was just agreed to while he was typing14:29
joathe bug sure, but how should I update the spec ? with my corrected understanding and that I'll test before closing/resuming work ?14:29
haleybjoa: if you can get it to work in the current (master) code and don't need the spec you can just abandon it14:29
joasure14:30
haleybif not we can discuss further14:30
joaJust to double check, Do I need the patch linked in the spec's discussion ?14:30
joa(I feel like I don't ?)14:31
haleyb#link https://review.opendev.org/c/openstack/neutron/+/88324614:32
haleybthat one?14:32
joayes14:32
haleybi think you do as that defines the default SG objects14:32
joaBut I can edit it on each project though, right ?14:33
haleybthat was merged in 2023.2 btw14:33
haleybi'll let slaweq answer that :)14:33
joaI means, it's a bit more manual in the setup, but I fail to see the need in itself, if I can edit the Default SG on a per-projet basis.14:33
slaweqwith this you as admin can define in neutron what SG rules will be added to every new SG created by users14:34
slaweqso if you want to make sure that every new project will have same rules in their SGs, you should use this APIs from that patch14:35
slaweqwithout that set of rules created automatically was always the same and hardcoded in neutron14:35
joaok. This was not a concern though, current default behavior so far is ok for us. Only modifying the default SG for those specific network/projects pair was important to us.14:35
joaAlright, I'll try and pass the baton to someone internally, and update the RFE/Spec with our findings when I get back :)14:36
haleybok, lets move on to other topic in agenda for today14:37
haleyb#link https://bugs.launchpad.net/neutron/+bug/207866114:37
haleybralonsoh: that was the one you added14:37
ralonsohvery quick because is trivial, but there is an API change14:37
ralonsohthe flag propagate_uplink_status can be defined in a port during the creation14:37
ralonsoh(that is for ML2/SR-IOV only)14:37
ralonsohI want to make is updatable, that's all14:37
ralonsohhttps://review.opendev.org/c/openstack/neutron-lib/+/927820/3/neutron_lib/api/definitions/uplink_status_propagation_updatable.py#3014:38
ralonsohthat also implies a change in the SRIOV agent, receiving this change14:38
ralonsohany question?14:38
obondarevlgtm +114:39
haleybralonsoh: ack. and that was going to be my second question - the sriov agent will need a change since it has work to do when updating the flag, correct?14:39
ralonsohI think (99% sure) that will work as is now14:39
ralonsohbut I'll check it, of course14:39
slaweqsounds reasonable for me14:39
haleybralonsoh: ack14:39
slaweqand straighforward14:39
slaweqso +114:39
lajoskatona+114:39
haleyb+1 from me14:39
mlavalle+114:40
ralonsohthanks folks14:40
ralonsohI have an on-demand topic14:40
ralonsohvery quick one14:40
ralonsohhttps://review.opendev.org/c/openstack/neutron/+/92672514:40
ralonsohwe said that in Antelope, we would start enforcing the quota14:40
ralonsohnot enforcing, sorry14:40
ralonsohchecking the quota before setting it, like any other project14:41
ralonsohnow we do like --force by default14:41
ralonsohI'm removing it in this patch14:41
ralonsoh(there is a warning message added 2 years ago)14:41
ralonsohwhat i'm removing here: https://review.opendev.org/c/openstack/neutron/+/926725/4/neutron/extensions/quotasv2.py14:42
ralonsohso this is not for voting, just for consideration and review, because is a significant change14:42
ralonsohthank you for reading me14:42
lajoskatonathanks ralonsoh14:43
haleybthanks, will keep an eye on review14:43
ralonsohthanks!14:43
mlavallethanks for the heads up14:43
haleybany other topics?14:44
haleybok, thanks for attending everyone and for the good discussion. have a nice weekend!14:44
haleyb#endmeeting14:44
opendevmeetMeeting ended Fri Sep  6 14:44:55 2024 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)14:44
opendevmeetMinutes:        https://meetings.opendev.org/meetings/neutron_drivers/2024/neutron_drivers.2024-09-06-14.00.html14:44
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/neutron_drivers/2024/neutron_drivers.2024-09-06-14.00.txt14:44
opendevmeetLog:            https://meetings.opendev.org/meetings/neutron_drivers/2024/neutron_drivers.2024-09-06-14.00.log.html14:44
obondarevo/14:45
ralonsohhave a nice weekend14:45
lajoskatonao/14:45
slaweqhave a good weekend14:47
slaweqo/14:48
opendevreviewRodolfo Alonso proposed openstack/neutron master: Neutron quota engine checks the resource usage by default  https://review.opendev.org/c/openstack/neutron/+/92672514:50
slaweqhaleyb hey, please check https://review.opendev.org/c/openstack/neutron/+/925402 when You will have few minutes. I added tests as you requested14:57
lajoskatonahaleyb: I reread the meeting logs from Tuesday, and there's the answer for my question, bugfixes should be merged from now only14:58
lajoskatonahaleyb: but I keep in mind to push these stadium patches (and ping the team also ;)) for the coming cycle14:59
haleyblajoskatona: yes, and we can discuss exceptions. stable/2024.2 for neutron should be created soon i'd guess, same for other projects14:59
joaI know the meeting ended, but FWIW, policies for `create_port:security_groups` and `update_port:security_groups` do not seem to be enabled in master. (neutron/extensions/securitygroups.py, in the EXTENDED_ATTRIBUTES_2_0 dict)15:01
lajoskatonahaleyb: ack, I think the owners of these patches can ask for exception, but on the other hand I am not sure if all the processes and communication difficulties make this easy for anybody15:02
joaunless the mechanism in general changed, it still requires adding the `enforce_policy: True` attribute to this dict.15:02
lajoskatonahaleyb: but short : let's focus on the stadium hanging feature pathces at the beginning of the next cycle15:02
haleyblajoskatona: sounds good15:03
opendevreviewMerged openstack/neutron-tempest-plugin master: Add tests for the 'trusted' attribute in port resource  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/92773715:46
opendevreviewBrian Haley proposed openstack/neutron-lib master: Fix 'flavor' misspelling in VPN flavors  https://review.opendev.org/c/openstack/neutron-lib/+/92845816:48
opendevreviewMerged openstack/neutron master: [OVN] Set reside-on-chassis-redirect also for FLAT networks  https://review.opendev.org/c/openstack/neutron/+/92540216:56
opendevreviewIhar Hrachyshka proposed openstack/neutron-tempest-plugin master: Log console output on con.test_connection timeout  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/92846016:58
opendevreviewIhar Hrachyshka proposed openstack/neutron-tempest-plugin master: Log console output on con.test_connection timeout  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/92846017:04
opendevreviewIhar Hrachyshka proposed openstack/neutron-tempest-plugin master: refactor: Kill _verify_http_connection (dead code)  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/92846117:07
opendevreviewIhar Hrachyshka proposed openstack/neutron master: Degrade openstack-tox-py311-with-sqlalchemy-master to periodic  https://review.opendev.org/c/openstack/neutron/+/92784717:16
opendevreviewIhar Hrachyshka proposed openstack/neutron-tempest-plugin master: refactor: Kill dead code from utils and tests  https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/92846117:27
opendevreviewMerged openstack/neutron-lib master: Add API extension ``quota-check-limit-default``  https://review.opendev.org/c/openstack/neutron-lib/+/92677719:09
opendevreviewBrian Haley proposed openstack/neutron master: DNM: Test tempest port wait patch  https://review.opendev.org/c/openstack/neutron/+/92847220:17
opendevreviewMerged openstack/neutron-lib master: Fix 'flavor' misspelling in VPN flavors  https://review.opendev.org/c/openstack/neutron-lib/+/92845821:04
opendevreviewMerged openstack/neutron master: Add new "tagging" API method: create (POST)  https://review.opendev.org/c/openstack/neutron/+/92472421:06
zigoHowdy here! New fun OpenStack cli tool: https://salsa.debian.org/openstack-team/clients/oscs21:16
opendevreviewMerged openstack/neutron master: Add L3 HA fullstack failover tests  https://review.opendev.org/c/openstack/neutron/+/91742921:18
« Thursday, 2024-09-05 Index Saturday, 2024-09-07 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!